In the Claims:

Please cancel claims 4-7. Please amend claim 3. Please add new claims 23-26. The
claims are as follows:

1. (Original) A method of operating an intrusion detection system, the method comprising the
steps of:

taking a base action in response to detecting an intrusion;
updating an action counter in response to taking the base action; 
comparing the value of the action counter to an action threshold; 
updating an action variable when the value of the action counter meets the action 
threshold; 

checking a validity condition for satisfaction dependent upon the action variable; and 
invoking a provision associated with the validity condition when the validity condition is 
satisfied. 

2. (Original) The method of claim 1, wherein the provision changes an element of a base
intrusion set.

3. (Currently amended) A method of operating an intrusion detection system, the method
comprising the steps of:

taking a base action in response to detecting an intrusion;
updating an action counter in response to taking the base action;
comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action
threshold;

checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is
satisfied, wherein the provision changes an element of a base intrusion set, and wherein the
element of the base intrusion set is selected from the group consisting of a signature event,
a signature event counter, a signature threshold, a base action, and a weight.

09/901,443

PAGE 3/13 * RCVD AT 1/19/2005 11:05:25 AM [Eastern Standard Time] * SVR:USPTO-EFXRF-1/4 * DNIS:8729306 * CSID: * DURATION (mm-ss): 03-10

JAN-19-05 WED 11:26 AM FAX NO.

4-7. (Canceled) 

8. (Original) The method of claim 1, wherein the provision changes an element of an action set.

9. (Original) The method of claim 8, wherein the element of the action set is an action counter.

10. (Original) The method of claim 8, wherein the element of the action set is an action
threshold.



11. (Original) The method of claim 8, wherein the element of the action set is an action variable.



12. (Original) A method of operating an intrusion detection system, the method comprising the 
steps of: 

detecting a signature event;
updating a signature event counter responsive to detecting the signature event;
comparing the value of the signature event counter to a signature threshold;
updating an action counter when the value of the signature event counter meets the
signature threshold;

comparing the value of the action counter to an action threshold;
updating an action variable when the value of the action counter meets the action
threshold;

checking a validity condition for satisfaction dependent upon the action variable; and
invoking a provision associated with the validity condition when the validity condition is
satisfied.

13. (Original) The method of claim 12, wherein the provision changes an element of a base
intrusion set.

14. (Original) The method of claim 13, wherein the element of the base intrusion set is a
signature event.

15. (Original) The method of claim 13, wherein the element of the base intrusion set is a
signature event counter.

16. (Original) The method of claim 13, wherein the element of the base intrusion set is a
signature threshold.

17. (Original) The method of claim 13, wherein the element of the base intrusion set is a base
action.

18. (Original) The method of claim 13, wherein the element of the base intrusion set is a weight.

19. (Original) The method of claim 12, wherein the provision changes an element of an action
set.

20. (Original) The method of claim 19, wherein the element of the action set is an action counter.

21. (Original) The method of claim 19, wherein the element of the action set is an action
threshold.

22. (Original) The method of claim 19, wherein the element of the action set is an action
variable.



23. (New) The method of claim 1, wherein the action variable is selected from the group
consisting of a binary variable, an integer variable, a floating point variable, a fuzzy logical
variable, and a M-ary variable.

24. (New) The method of claim 1, wherein the validity condition includes a mathematical
expression or a logical expression.

25. (New) The method of claim 1, wherein said checking step comprises checking the validity
condition for satisfaction dependent upon the action variable and upon at least one other action
variable.

26. (New) The method of claim 1, further comprising a plurality of rules, wherein a rule of the 
plurality of rules comprises the validity condition. 
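
The chain recited in claims 12, 16, 25 and 26 can be followed in a short sketch, added here for illustration and not part of the application. The class names, the sample signatures, reading "meets" as `>=`, and resetting the signature event counter after a base action are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Signature:               # elements of the base intrusion set and action set
    name: str
    sig_threshold: int         # signature threshold
    action_threshold: int      # action threshold
    event_count: int = 0       # signature event counter
    action_count: int = 0      # action counter
    action_var: bool = False   # binary action variable (claim 23)

@dataclass
class Rule:                    # claim 26: a rule comprises the validity condition
    condition: Callable[[dict], bool]   # validity condition over action variables
    provision: Callable[[dict], None]   # provision invoked when it is satisfied
    fired: bool = False

class Ids:
    def __init__(self, sigs, rules):
        self.sigs = {s.name: s for s in sigs}
        self.rules = rules
        self.log = []

    def on_event(self, name):
        s = self.sigs[name]
        s.event_count += 1                          # update signature event counter
        if s.event_count >= s.sig_threshold:        # meets the signature threshold
            s.event_count = 0                       # assumption: restart the count
            self.log.append(f"base-action:{name}")  # base action (here, an alert)
            s.action_count += 1                     # update action counter
            if s.action_count >= s.action_threshold:
                s.action_var = True                 # update action variable
        variables = {n: x.action_var for n, x in self.sigs.items()}
        for r in self.rules:
            if not r.fired and r.condition(variables):
                r.fired = True
                r.provision(self.sigs)              # invoke the provision
                self.log.append("provision")

def demo():
    # Constructed scenario: once both signatures have escalated, the provision
    # lowers the port_scan signature threshold (claim 16).
    sigs = [Signature("port_scan", 3, 2), Signature("failed_login", 2, 1)]
    def tighten(s):
        s["port_scan"].sig_threshold = 1
    rule = Rule(lambda v: v["port_scan"] and v["failed_login"], tighten)  # claim 25
    ids = Ids(sigs, [rule])
    for ev in ["port_scan"] * 6 + ["failed_login"] * 2 + ["port_scan"]:
        ids.on_event(ev)
    return ids
```

After the provision runs, a single further `port_scan` event is enough to trigger the base action, which is the adaptive behaviour the dependent claims describe.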